What in the world is this URL?

Discussion in 'privacy problems' started by fergie, Sep 16, 2003.

Thread Status:
Not open for further replies.
  1. fergie

    fergie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    4
    Okay, my roommates and I share this computer. One of them is an avid viewer of pornography. He was using the comp the other day, and now, in front of every URL is the URL below: **Not work safe, it takes you to a Russian pornography site, and is written in Cyrillic (sp?).**

    h..p://www.sexyque.com/cgi-bin/proliv/proliv.cgi?

    and then the URL. I have downloaded and used AdAware and Spyblaster, and it won't get rid of the prefix URL. What do I need to do to get rid of this, as it redirects at random to XXX sites, and I don't like that, and neither does the gf. Please help me!!! Thanks in advance for any suggestions.

    Fergie

    - disabled the link - LWM
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Hi fergie,

    Posting a HijackThis log is the best way for people to help you with this browser hijack problem.

    Someone should be by soon to help you once you've posted the log.

    Best Wishes,
    LowWaterMark
     
  3. fergie

    fergie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    4
    This is the log. HTH

    Fergie

    PS- Thanks for putting the post in the right spot.
     
  4. FanJ

    FanJ Guest

    Hi,
    I'll let the HijackThis-experts further look at your log.
    But a quick reply: that sexyque site is listed in the IE-SPYAD list that puts it in the restricted zone of IE.
    But that is of later concern, now you must get rid of all the nasties.....
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,874
    Location:
    New England
    Well, the prefixing problem itself is done with those two O13 entries at the bottom of the listing.

    I know for sure you should fix all of these. Close all windows except for HijackThis, check the following items, and then press the "Fix checked" button.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = h..p://www.puh.ru/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = h..p://www.searchaccurate.com/ie2/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h..p://www.puh.ru/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h..p://www.puh.ru/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h..p://www.puh.ru/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h..p://www.puh.ru/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = h..p://www.puh.ru/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = h..p://www.puh.ru/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = h..p://www.puh.ru/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = h..p://www.puh.ru/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = h..p://www.puh.ru/search.html
    O13 - DefaultPrefix: h..p://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
    O13 - WWW Prefix: h..p://www.sexyque.com/cgi-bin/proliv/proliv.cgi?

    I don't know if there is more, as there are a couple items in there I don't know, so you should try fixing the ones I note above and see what that does. Rebooting and running another HijackThis report will tell us if any of these are going to regenerate because of other hijacks not fixed.
     
  6. fergie

    fergie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    4
    Here is the new log. Thanks
     
  7. FanJ

    FanJ Guest

    Close all windows except for HijackThis, check the following items, and then press the "Fix checked" button.


    O1 - Hosts: 66.159.20.28 worldsex.com
    O1 - Hosts: 66.159.20.28 www.worldsex.com
    O1 - Hosts: 66.159.20.29 thehun.net
    O1 - Hosts: 66.159.20.29 www.thehun.net

    Rebooting and running another HijackThis report will tell us if any of these are going to regenerate because of other hijacks not fixed.
     
  8. FanJ

    FanJ Guest

    Close all windows except for HijackThis, check the following items, and then press the "Fix checked" button.

    O4 - HKCU\..\Run: [Utopia Angel] C:\UTOPIA\ANGEL\ANGEL.EXE

    Rebooting and running another HijackThis report will tell us if any of these are going to regenerate because of other hijacks not fixed.
     
  9. FanJ

    FanJ Guest

    Close all windows except for HijackThis, check the following items, and then press the "Fix checked" button.


    O2 - BHO: (no name) - {66993893-61B8-47DC-B10D-21E0C86DD9C8} - C:\WINDOWS\SYSTEM\IEHELPER.DLL

    Rebooting and running another HijackThis report will tell us if any of these are going to regenerate because of other hijacks not fixed.

    PS:
    Info at:
    http://www.spywareinfoforum.com/bhos/archives/000170.php
    Quote:
    X {66993893-61B8-47DC-B10D-21E0C86DD9C8}: iehelper.dll - LinkReplacer
    Further info:
    http://www.doxdesk.com/parasite/LinkReplacer.html
     
  10. FanJ

    FanJ Guest

    Hi Fergie,

    Are you using:
    1. firewall
    2. Antivirus program (AV)
    3. AntiTrojan program (AT) ?

    What AV are you using?
    Would you please update your AV with its latest definitions, and then do a full system scan with it, as deep as possible.

    I'm a little bit worried about that angel.exe file.
    After you have done all the mentioned HijackThis fixes, let's first do a full system scan with your AV.
    Let us know how it goes, please.

    Regards, Jan.
     
  11. fergie

    fergie Registered Member

    Joined:
    Sep 16, 2003
    Posts:
    4
    Norton antivirus, and no AT. Don't know what that is even. Angel is from a game...that I no longer play. Any suggestions as to what AT and new AV to run would be appreciated.

    The weird URL no longer appears, and none regenerate themselves. Thanks for all the help.

    Fergie
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Good job, guys.

    There is one more that is worrying me:
    O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}

    It has the same CLSID as the BHO and I think that is too much to be a coincidence.

    Have HijackThis fix that one as well.

    As for AT and AV's, have a look here: http://www.wilders.org/ and follow the links from there.

    Regards,

    Pieter
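
The cross-check described in the post above (the same CLSID turning up in both the O2 BHO entry and the O18 protocol entry), together with the O13 prefix check from earlier in the thread, as an added example that is not part of the original thread or of HijackThis itself. It generalizes to any CLSID shared across sections; the function names are hypothetical, the sample is constructed from entries quoted in this thread, and treating a bare scheme as the only normal prefix is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: entries quoted in this thread, URLs left defanged ("h..p") as posted.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = h..p://www.puh.ru/search.html
O1 - Hosts: 66.159.20.28 worldsex.com
O2 - BHO: (no name) - {66993893-61B8-47DC-B10D-21E0C86DD9C8} - C:\WINDOWS\SYSTEM\IEHELPER.DLL
O4 - HKCU\..\Run: [Utopia Angel] C:\UTOPIA\ANGEL\ANGEL.EXE
O13 - DefaultPrefix: h..p://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O13 - WWW Prefix: h..p://www.sexyque.com/cgi-bin/proliv/proliv.cgi?
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")   # section code, then the detail text
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def parse(log):
    """Return (section, detail) tuples for every well-formed log line."""
    return [m.groups() for m in map(ENTRY.match, log.splitlines()) if m]

def shared_clsids(entries):
    """Map each CLSID to the sections it appears in, keeping those seen in 2+ sections."""
    seen = defaultdict(set)
    for section, detail in entries:
        for clsid in CLSID.findall(detail):
            seen[clsid.upper()].add(section)
    return {c: sorted(s) for c, s in seen.items() if len(s) > 1}

def hijacked_prefixes(entries):
    """Return (name, value) for O13 entries whose prefix is more than a bare scheme."""
    out = []
    for section, detail in entries:
        if section == "O13":
            name, _, value = detail.partition(": ")
            # Assumption: a normal prefix is just a scheme such as "http://".
            if not re.fullmatch(r"[a-z.]+://", value.strip()):
                out.append((name, value.strip()))
    return out

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for clsid, sections in shared_clsids(entries).items():
        print(f"{clsid} appears in sections {sections}: review these entries together")
    for name, value in hijacked_prefixes(entries):
        print(f"O13 {name} is not a bare scheme: {value}")
```
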
     
  13. FanJ

    FanJ Guest

    Thanks Pieter :D
    I'm trying to learn it a little bit from you ;)
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Oops,

    This one is bad news too:
    O4 - HKLM\..\Run: [MoviePlace] "C:\Program Files\MoviePlace\MoviePlace.exe" /H

    http://research.pestpatrol.com/PestInfo/Pest_Detail.asp?id=453060662
     
  15. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    One final tip to help you prevent reinfection: close all windows, including HijackThis, but not the one overlooking the street. Throw your roommate out of it.

    :cool:
     
  16. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    CO,

    Hehe ! That's funny !! :D :D

    Hopefully, with no FireWall, the Roommate will pass right through !!

    Thanks for the chuckle !! :D

    regards,
    bill
     